We claim: 



CLAIMS 



1 1 . Dynamic verification of the validity of computer-executable instructions. 

1 2. In a computer that includes at least one processor that executes 

2 instructions stored in a memory, which is organized into separately addressable 

3 memory blocks, a method for verifying the validity of instructions comprising: 

4 for at least one current instruction that has been identified for submission to the 

5 processor for execution, determining an identifying value for a current memory block 

6 that contains the current instruction; 

7 comparing the identifying value of the current memory block with a set of 

8 reference values; 

9 if the identifying value satisfies a validation condition, allowing execution of the 

1 0 current instruction by the processor; and 

1 1 if the identifying value does not satisfy the validation condition, generating a 

12 response; 

13 whereby the current instruction is verified dynamically before being executed. 

1 3. A method as in claim 2, further comprising: 

2 including in the set of reference values at least one validation entry 

3 corresponding to at least one identifying value for predetermined contents of a known, 

4 valid memory block; 

5 in which the validation condition is that the identifying value of the current 

6 memory block matches any validation entry in the set of reference values. 



45 



1 4. A method as in claim 2, further comprising: 

2 including in the set of reference values at least one invalidation entry 

3 corresponding to at least one identifying value for predetermined contents of a known 

4 invalid memory block; 

5 in which the validation condition is that the identifying value of the current 

6 instruction differs from all invalidation entries in the set of reference values. 

1 5. A method as in claim 2, in which: 

2 the step of determining the identifying value of the current memory block 

3 comprises computing a hash value as a function of at least a sub-set of the contents of 

4 the current memory block; and 

5 each reference value is computed as a hash value of at least a sub-set of a 

6 known, reference memory block. 

1 6. A method as in claim 5, in which the step of computing the hash value of 

2 both the current memory block and at least one of the reference memory blocks 

3 comprises computing the respective hash values based on only part of the contents of 

4 both the current and the reference memory blocks. 

1 7. A method as in claim 6, further comprising: 

2 identifying, in at least one reference memory block, non-indicative contents that 

3 are valid but that are at least potentially non-constant such that they do not indicate 

4 validity of the reference memory block as a whole; 

5 before or when computing the hash value for the reference memory block, 

6 applying a mask to the contents of the reference memory block such that the non- 

7 indicative contents do not influence the computed hash value; and 

8 before or when computing the hash value for the current memory block, applying 

9 the mask to the current memory block contents. 
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1 8. A method as in claim 2, further comprising: 

2 for each of a plurality of memory blocks, indicating in a structure whether each 

3 respective block is validated; and 

4 for each current instruction from a memory block whose structure indication is 

5 that it is validated, directly allowing execution of the current instruction. 

1 9. A method as in claim 8, in which the step of indicating in the structure 

2 whether the plurality of memory blocks is validated comprises causing a corresponding 

3 entry to be made in a group of hardware attribute indicators. 

1 10. A method as in claim 9, in which the hardware attribute indicators are 

2 execute and write permission attributes associated with an entry in a translation 

3 lookaside buffer. 

1 1 1 . A method as in claim 8, in which the step of indicating in the structure 

2 whether the plurality of memory blocks is validated comprises making a corresponding 

3 entry in a software data structure. 

1 12. A method as in claim 8, further comprising: 

2 performing the steps of determining the identifying value for the current memory 

3 block and comparing the identifying value of the current memory block with a set of 

4 reference values only for current instructions located in memory blocks not indicated in 

5 the structure as being validated; and 

6 if the identifying value of a current memory block not indicated as being validated 

7 satisfies the validation condition, then setting the corresponding structure indication to 

8 indicate that it is validated. 

1 13. A method as in claim 12, further comprising: 

2 sensing modification of any memory block for which the structure includes an 

3 indication and, upon sensing modification of any such memory block, setting its 

4 indication in the structure to indicate that the memory block is not validated. 
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1 14. A method as in claim 8, further comprising: 

2 determining a branch history for the current instruction; and 

3 checking whether the memory blocks in which instructions in the branch history 

4 are located are validated, the validation condition including the requirement that each 

5 checked memory block in the branch history is validated. 

1 15. A method as in claim 2, further comprising performing the steps of 

2 determining the identifying values for current memory blocks, comparing the identifying 

3 values with the set of reference values, and determining whether the validation 

4 condition has been satisfied only after the occurrence of a triggering event. 

1 16. A method as in claim 15, in which the triggering event is the writing of at 

2 least one new unit of code or data to any physical component within the computer. 

1 17. A method as in claim 15, in which the triggering event is the attempted 

2 execution of any instruction located on any unverified memory block. 

1 1 8. A method as in claim 1 5, in which the triggering event is the attempted 

2 execution of any instruction located on any unverified memory block of newly installed 

3 software. 

1 19. A method as in claim 15, further comprising triggering dynamic verification 

2 depending on the identity of the user of the computer who has caused submission of the 

3 current instruction. 

1 20. A method as in claim 15, further comprising triggering dynamic verification 

2 depending on a context in which the current instruction is submitted for execution. 

1 21 . A method as in claim 20, in which the context is a level of security 

2 clearance associated with the computer, a user of the computer, or a program of which 

3 the current instruction is a part. 
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1 22. A method as in claim 2, further comprising verifying only a sample of the 

2 current instructions. 



1 23. A method as in claim 22, in which the sample is a time-sampled sub-set of 

2 current instructions. 

1 24. A method as in claim 22, in which the sample is a sequentially sampled 

2 sub-set of current instructions. 

1 25. A method as in claim 22, in which the sample is a sub-set of current 

2 instructions sampled spatially, over a range of addresses or equivalent memory block 

3 identifiers. 

1 26. A method as in claim 2, in which the step of generating the response 

2 comprises terminating a software entity with which the current memory block is 

3 associated. 

1 27. A method as in claim 2, in which the step of generating the response 

2 comprises suspending execution of a software entity with which the current memory 

3 block is associated. 

1 28. A method as in claim 2, in which the step of generating the response 

2 comprises posting a message to a user, system administrator, or other predetermined 

3 recipient. 

1 29. In a computer that includes a virtual machine running in a direct execution 

2 mode on an underlying hardware platform via an intermediate software layer, the 

3 method as in claim 2, in which the step of generating the response comprises switching 

4 the execution mode of the virtual machine to binary translation. 
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1 30. In a computer that includes a virtual machine running on an underlying 

2 hardware platform via an intermediate software layer, the method as in claim 2, in which 

3 the step of generating the response includes checkpointing the state of the virtual 

4 machine. 

1 31 . A method as in claim 2, further comprising: 

2 associating different responses with at least two different memory blocks; 

3 upon detection of failure of the current instruction to satisfy the validation 

4 condition, generating the response associated with the memory block in which the 

5 current instruction is located. 

1 32. A method as in claim 2, further comprising: 

2 tracking which programs are being executed within the computer by associating 

3 the reference values with respective predetermined programs, a match between the 

4 identifying value of the current memory block with any validation entry in the set of 

5 reference values indicating execution of the corresponding one of the predetermined 

6 programs. 

1 33. In a computer that includes a virtual machine (VM) running on an 

2 underlying hardware platform via an intermediate software layer operable to switch the 

3 virtual machine between a direct execution mode and a binary translation mode, the 

4 method as in claim 2, further comprising verifying the validity of VM-issued instructions 

5 in conjunction with binary translation of any of the VM-issued instructions. 
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1 34. In a computer that includes at least one processor that executes 

2 instructions stored in a memory, which is organized into separately addressable 

3 memory blocks, a method for verifying the validity of instructions comprising: 

4 computing a set of at least one reference value as a hash value of at least a sub- 

5 set of a known, reference memory block; 

6 upon occurrence of a triggering event, for at least one current instruction that has 

7 been identified for submission to the processor for execution, determining an identifying 

8 value for a current memory block that contains the current instruction by computing a 

9 hash value as a function of at least a sub-set of the contents of a current memory block; 

10 comparing the identifying value of the current memory block with the set of 

1 1 reference values; 

12 if the identifying value satisfies a validation condition, allowing execution of the 

1 3 current instruction by the processor; and 

14 if the identifying value does not satisfy the validation condition, generating a 

15 response; 

16 including in the set of reference values at least one validation entry 

17 corresponding to at least one identifying value for predetermined contents of a known, 

18 valid memory block, 

1 9 the validation condition being that the identifying value of the current memory 

20 block matches any validation entry in the set of reference values; 

21 whereby the current instruction is verified dynamically before being executed. 



51 



1 35. A system for verifying the validity of executable code in a computer 

2 comprising: 

3 at least one processor; 

4 a mechanism for identifying at least one current instruction that has been 

5 identified for submission to the processor for execution; 

6 a memory that is organized into separately addressable memory blocks, the 

7 a verification engine comprising computer-executable code 

8 for at least one current instruction that has been identified for submission 

9 to the processor for execution, for determining an identifying value for a current memory 

1 0 block that contains the current instruction; 

1 1 for comparing the identifying value of the current memory block with a set 

12 of reference values; 

1 3 if the identifying value satisfies a validation condition, for allowing 

14 execution of the current instruction by the processor; and 

15 if the identifying value does not satisfy the validation condition, for 

16 generating a response; 

17 whereby the current instruction is verified dynamically before being executed. 

1 36. A system as in claim 35, further comprising: 

2 at least one validation entry included in the set of reference values corresponding 

3 to at least one identifying value for predetermined contents of a known, valid memory 

4 block; 

5 in which the validation condition is that the identifying value of the current 

6 memory block matches any validation entry in the set of reference values. 

1 37. A system as in claim 35, further comprising: 

2 at least one invalidation entry included in the set of reference values 

3 corresponding to at least one identifying value for predetermined contents of a known 

4 invalid memory block; 

5 in which the validation condition is that the identifying value of the current 

6 instruction differs from all invalidation entries in the set of reference values. 

52 



1 38. A system as in claim 35, further including: 

2 a hashing module within the verification engine comprising computer-executable 

3 code for determining the identifying value of the current memory block by computing a 

4 hash value as a function of at least a sub-set of the contents of the current memory 

5 block; and 

6 for computing each reference value as a hash value of at least a sub-set of a 

7 known, reference memory block. 

1 39. A system as in claim 38, further comprising a sub-set selection structure 

2 for selecting only a sub-set of the current memory block for computation of the 

3 respective hash value. 

1 40. A system as in claim 39, in which the sub-set selection structure is a 

2 mask. 

1 41 . A system as in claim 35, further comprising a structure containing an 



2 indication, for each of a plurality of memory blocks, of whether each respective block is 

3 validated, the verification engine being further provided with computer-executable code 

4 for directly allowing execution of the current instruction for each current instruction from 

5 a memory block whose structure indication is that it is validated. 



1 42. A system as in claim 41 , in which the structure containing the indications 

2 is a group of hardware attribute indicators. 

1 43. A system as in claim 42, in which the hardware attribute indicators are 

2 execute and write permission attributes associated with an entry in a translation 

3 lookaside buffer. 

1 44. A system as in claim 35, further comprising a software module comprising 

2 computer-executable instructions for selecting for verification only a sample of the 

3 current instructions. 
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1 45. A system as in claim 35, further comprising: 

2 a hardware platform that includes the processor(s); 

3 an intermediate virtualization layer; 

4 a virtual machine (VM) running in a direct execution mode or a binary translation 

5 mode on the underlying hardware platform via the intermediate virtualization layer; 

6 the intermediate virtualization layer being provided for switching the execution 

7 mode of the virtual machine to binary translation, 

1 46. A system as in claim 45, in which the verification engine is further provided 

2 for verifying the validity of VM-issued instructions in conjunction with binary translation 

3 of any of the VM-issued instructions. 

1 47. A system as in claim 45, in which the verification engine is further provided 

2 for triggering the intermediate virtualization layer to switch execution of the virtual 

3 machine to the binary translation mode as the response. 
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